LastPass: New Details Emerge from Second Security Breach of 2022
Category: Data Breach | Industry: Technology | Level: Strategic | Source: LastPass
LastPass provided additional details about a "coordinated secondary breach," during which an unauthorized actor gained entry into and exfiltrated data from the company's Amazon AWS cloud storage for over two months. Using data obtained in the first breach in August 2022, the threat actor was active in the environment from August 12, 2022, to October 26, 2022, collecting and exfiltrating data. The stolen data included partially encrypted password vault data and customer information. Having learned that only four LastPass DevOps engineers held access to the decryption keys, the threat actor targeted one of them: the engineer's home workstation was compromised by exploiting a remote code execution vulnerability in third-party software, and a keylogger was installed on it.
"The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gained access to the DevOps engineer's LastPass corporate vault," as detailed in LastPass's security advisory. "The threat actor then exported the native corporate vault entries and content of shared folders, containing encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups." Initially, LastPass's investigators had difficulty distinguishing the threat actor's activity from legitimate use, because the actor was operating with valid credentials; AWS GuardDuty alerts were what eventually flagged the anomalous activity.
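The last point is the one a detection engineer should take from this incident: when an attacker holds valid credentials, authentication succeeds and access-control checks pass, so the only remaining signal is behaviour that departs from the principal's baseline (an unfamiliar source address, a volume of reads far above normal). The following is an added example, not LastPass code and not AWS's GuardDuty logic (which is proprietary); it models that principle over constructed CloudTrail-style S3 data-event records. The role ARN, IP addresses, bucket name and timestamps are all made up for the example.

```python
"""Baseline-and-anomaly detection over CloudTrail-style S3 data events.

Added illustration; not LastPass or AWS code. The log records below are
constructed for the example and are not real CloudTrail output.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed records, one JSON object per line, using CloudTrail field names
# (eventTime, eventName, userIdentity.arn, sourceIPAddress, requestParameters.bucketName).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    # Baseline week: the backup role reads three objects a day from a known office IP.
    *[{"eventTime": f"2022-08-0{d}T02:00:00Z", "eventName": "GetObject",
       "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/backup-reader/devops"},
       "sourceIPAddress": "203.0.113.10",
       "requestParameters": {"bucketName": "prod-backups"}}
      for d in range(1, 8) for _ in range(3)],
    # Day under investigation: the same valid role, an unfamiliar IP, a bulk download.
    *[{"eventTime": "2022-08-12T03:00:00Z", "eventName": "GetObject",
       "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/backup-reader/devops"},
       "sourceIPAddress": "198.51.100.77",
       "requestParameters": {"bucketName": "prod-backups"}}
      for _ in range(40)],
    # A write from the known IP on the same day: not a read, so not counted.
    {"eventTime": "2022-08-12T04:00:00Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/backup-reader/devops"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "prod-backups"}},
])

READ_EVENTS = {"GetObject", "ListObjects", "ListObjectsV2"}
CUTOFF = datetime(2022, 8, 12, tzinfo=timezone.utc)  # start of the window under investigation


def parse_log(text):
    """Parse newline-delimited CloudTrail-style JSON into flat event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "name": rec["eventName"],
            "principal": rec["userIdentity"]["arn"],
            "ip": rec["sourceIPAddress"],
            "bucket": rec.get("requestParameters", {}).get("bucketName"),
        })
    return events


def build_baseline(events, cutoff):
    """Per principal: the set of source IPs seen and the mean daily read count before `cutoff`."""
    ips = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))  # principal -> day -> read count
    for e in events:
        if e["time"] >= cutoff or e["name"] not in READ_EVENTS:
            continue
        ips[e["principal"]].add(e["ip"])
        daily[e["principal"]][e["time"].date()] += 1
    return {p: {"ips": ips[p], "mean_daily_reads": sum(daily[p].values()) / len(daily[p])}
            for p in ips}


def detect(events, baseline, cutoff, spike_factor=5.0):
    """Flag (principal, day) read activity at/after `cutoff` that departs from the baseline."""
    per_day = defaultdict(lambda: {"count": 0, "ips": set(), "buckets": set()})
    for e in events:
        if e["time"] < cutoff or e["name"] not in READ_EVENTS:
            continue
        agg = per_day[(e["principal"], e["time"].date())]
        agg["count"] += 1
        agg["ips"].add(e["ip"])
        agg["buckets"].add(e["bucket"])
    findings = []
    for (principal, day), agg in sorted(per_day.items()):
        base = baseline.get(principal)
        reasons = []
        if base is None:
            reasons.append("principal has no read baseline")
        else:
            new_ips = agg["ips"] - base["ips"]
            if new_ips:
                reasons.append(f"new source IP(s): {sorted(new_ips)}")
            if agg["count"] > spike_factor * base["mean_daily_reads"]:
                reasons.append(f"{agg['count']} reads vs baseline mean {base['mean_daily_reads']:.1f}/day")
        if reasons:
            findings.append({"principal": principal, "day": day.isoformat(),
                             "buckets": sorted(agg["buckets"]), "reasons": reasons})
    return findings


def run_example():
    """Build the baseline from the constructed log and return (baseline, findings)."""
    events = parse_log(SAMPLE_LOG)
    baseline = build_baseline(events, CUTOFF)
    return baseline, detect(events, baseline, CUTOFF)


if __name__ == "__main__":
    for finding in run_example()[1]:
        print(json.dumps(finding, indent=2))
```

On the constructed data the backup role's baseline is one known IP and three reads a day, so the 40 reads from 198.51.100.77 on August 12 produce a single finding with two reasons: a source IP never seen for that principal, and a read volume well above the baseline. Neither check involves the credential itself; both would have been silent had the actor kept to the engineer's usual address and pace, which is why baselines need to be built per principal and per resource rather than account-wide.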
Although LastPass has since strengthened its security measures by rotating credentials and authentication keys/tokens, revoking certificates, increasing logging and alerting, and enforcing more stringent security protocols, a large volume of data has already been compromised. The data exposed in the breach includes DevOps secrets; configuration data housed in cloud-based backup storage, containing third-party integration secrets; and a backup of the LastPass MFA/Federation database, which includes Multi-Factor Authentication (MFA) seeds and Split Knowledge Component ("K2") keys for federated business customers.